RE: Apache issue

From: Derick Anderson (danderson_at_vikus.com)
Date: 06/22/05

  • Next message: Jan Ciesko (UNI): "generalInfo" 
    Date: Wed, 22 Jun 2005 11:24:23 -0400
To: <focus-linux@securityfocus.com>

    The Apache documentation at
    http://httpd.apache.org/docs-2.0/mod/mod_access.html#order will be
    helpful to you. Essentially, you must order the Allow,Deny statement the
    same way as your Allow from/Deny from statements. Example:

    <Directory /foo/bar>
            Order Deny,Allow
            Deny from all
            Allow from 192.168.1.0/255.255.255.0
    </Directory>

    Derick Anderson
     

    > -----Original Message-----
    > From: anita.salerno@talk21.com [mailto:anita.salerno@talk21.com]
    > Sent: Wednesday, June 22, 2005 3:44 AM
    > To: focus-linux@securityfocus.com
    > Subject: Apache issue
    >
    > Hello,
    > I'm using Apache/2.0.52 on Fedora Core 3. I've copied the
    > configuration file of the previous apache's version on a
    > Redhat, as I do everytime when upgrading to a new version of
    > Apache (I configured only the new httpd.conf manually), and
    > now the problem is that none of the security measures is
    > working, I'm bypassing all of them (.htaccess and ip list
    > specification).
    >
    > The mod_access module is enabled.
    >
    > In my httpd.conf, I have:
    >
    > AllowOverride All
    >
    > <Directory /www/html/directory/rzone>
    > Order Allow,Deny
    > Allow from 10.0.10.
    > Deny from all
    > </Directory>
    >
    >
    >
    > My .htaccess is:
    > AuthType Basic
    > AuthName Welcome
    > AuthUserFile /www/html/directory/rzone/.htmdp
    >
    > <Limit GET POST>
    > require valid-user
    >
    > Order Allow,Deny
    > Allow from 10.0.10.
    > Deny from all
    > </Limit>
    >
    > When I was desprate, I've configured the access file as follow:
    >
    > Order Allow,Deny
    > Deny from all
    >
    > and I still have access to the web site.
    >
    > Any idea ?
    >

  • Next message: Jan Ciesko (UNI): "generalInfo"

    Relevant Pages

    • Apache - Surprised by web access to .htaccess etc.
      ... and possibly propose a change to the distributed configuration sample. ... In the distributed Apache configuration, ... *could*, in fact, view the contents of .htaccess, .htpasswd etc. ... The "satisfy any" is taking effect, ...
      (comp.infosystems.www.servers.unix)
    • Re: is_dir true from cli, false from Apache
      ... I'm trying to get OpenDocMan working. ... The user apache owns and has full access to the ... of the configuration files beyond defining the site in Apache. ... configuration has no PHP directives, as can be seen in the forum post ...
      (comp.lang.php)
    • Re: (Another) simple benchmark
      ... I'm NOT using PHP - it was mentioned as a reason threaded apache is not widely used. ... This performance is objectively low even by itself, without any comparison with other operating systems (such as linux). ... What I *am* doing now is looking for someone who has a 4 CPU or bigger machine idle on which he/she can replicate this simple benchmark (it really IS simple - you need apache20 port in default configuration - everything's included) and confirm or contradict my results. ... If it's Linux, FreeBSD 4, FreeBSD 6, Windows, Solaris, ...
      (freebsd-performance)
    • Re: is_dir true from cli, false from Apache
      ... I'm trying to get OpenDocMan working. ... The user apache owns and has full access to the ... of the configuration files beyond defining the site in Apache. ... configuration has no PHP directives, as can be seen in the forum post ...
      (comp.lang.php)
    • Re: Dumb Apache server moves?
      ... >> mistakes regarding configuration of Apache? ... Any thoughts from the Apache world? ... > - Letting untrusted users execute CGI scripts ... What sort of problems does .htaccess cause? ...
      (comp.os.linux.security)